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(54) Rewriting system for vehicle controller 



(57) The rewriting system for rewriting data stored 
in a memory (16) of a vehicle controller (10) with new 
data is provided. The rewriting device (1 1 ) .is capable of 
communicating with the vehicle controller. The rewriting 
device enters a waiting state in which there is no ex- 
change of message between the vehicle controller and 
the rewriting device. The rewriting device is in a waiting 
state until a predetermined waiting time has elapsed 
from the time at which a signal for requesting the vehicle 
controllerto delete the data or write the new data is sent : 
or from the time at which a signal indicative of start of* 



deleting operation of the data or writing operation of the 
new data is received. Thus, an erroneous determination 
of offline due to a busy state of the vehicle controller 
caused by deleting or writing operation is avoided. It is 
preferable that the predetermined waiting time for delet- . 
ing operation is the time necessary to delete the data 
stored in the memory and the predetermined waiting 
time for writing operation is the time necessary to write 
the new data into the memory. This enables the waiting 
time to be optimized in accordance with the specification 
of the memory. 
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Description 

[0001] The present invention relates to a system for 
rewriting a program or data stored in a memory of a ve- 
hicle controller with other program or data transferred 
from an external rewriting device. 
[0002] Vehicles are subjected to various types of con- 
trol by an electronic control unit (hereafter referred to as 
"ECU"). Such control includes engine-related control of 
an air fuel ratio, fuel injection amount, and emission as 
well as body-related control for a power window, an air 
bag, and an ABS. The ECU provides various types of 
control for the vehicle based on current conditions and 
traveling conditions of the vehicle sensed by various 
sensors mounted on the vehicle. 

[0003] The ECU comprises a central processing unit 
(CPU), a ROM (Read Only Memory) that stores pro- 
grams and data to be executed, a RAM (Random Ac- 
cess Memory) which provides a work area for execution 
and which stores results of computation, and an I/O in- 
terface for receiving signals from various sensors and 
transmitting control signals to various parts of the en- 
gine. 

[0004] A system wherein a rewritable and non-volatile 
memory, such as a flash memory, an EEPROM, or an 
EPROM, is used as the ROM to allow a program or data 
to be rewritten through serial communication is known. 
Such a system typically comprises a rewriting device, 
an ECU and a serial communication path connecting 
them together. Rewriting is achieved by deleting data 
stored in the rewritable memory mounted on the ECU 
and writing new data transferred from the rewriting de- 
vice via serial communication into the memory. By way 
of example, Japanese Patent Application Laid-Open 
No. 63-223901 describes a method for changing a pro- 
gram stored in the EEPROM of the ECU in response to 
a request from an external device via a SCI (Serial Com- 
munication Interface) terminal with the ECU being 
mounted on the vehicle. 

[0005] Generally, deleting and writing operation on a 
non-volatile memory such as a flash memory and EEP- 
ROM requires a relatively large amount of time. The 
ECU may be busy during deleting or writing operation. 
As a result, the ECU may not be able to respond to the 
rewriting device. When there is no response from the 
ECU for a predetermined period, the rewriting device 
determines that communication between the ECU and 
the rewriting device is offline. 

[0006] FIGS. 5 and 6 show a typical method for rewrit- 
ing a program stored in a memory of the ECU. FIG. 5 is 
a flow chart showing the process performed by the re- 
writing device, and FIG. 6 is a flow chart showing the 
process performed by the ECU. 

[0007] In response to a request for deleting operation 
from the rewriting device (501 ). the ECU sends a signal 
to the rewriting device indicative of start of deleting op- 
eration (552) and deletes a program stored in a memory 
of the ECU (553). In response to the signal indicative of 



start of deleting operation, the rewriting device requests 
the result of the deleting operation (505). If the deleting 
operation has not been completed, the ECU sends a sig- 
nal to the rewriting device indicating that the deleting 

5 operation is in progress (556). If the deleting operation 
has been completed, the ECU sends a signal indicative 
of completion of the deleting operation (557). 
[0008] Similarly, writing operation is carried out. In re- 
sponse to a request for writing operation from the rewrit- 

10 ing device (521 ), the ECU sends a signal to the rewriting 
device indicative of start of writing operation (562) and 
writes a new program to the memory of the ECU (563). 
In response to the signal indicative of start of writing op- 
eration, the rewriting device requests the result of the 

is writing operation (525). If the writing operation has not 
been completed, the ECU sends a signal to the rewriting 
device indicating thatthe writing operation is in progress 
- (566). If the writing operation has been completed, the 
ECU sends a signal indicative of completion of the writ- 

20 ing operation (567). 

[0009] At step 50g or 529, if the response from the 
ECU indicates that the deleting or writing operation is in 
progress, the process returns to step 505or525. If the 
response from the ECU indicates that the deleting or 

25 writing operation has been completed, the process pro- 
ceeds to the following step 51 0 or 530. In this way, the 
rewriting device determines whether deleting or writing 
operation is being performed or has been completed by 
sending a request for the result of the deleting or writing 

30 operation and by receiving a response to the request. 
Even if the deleting or writing operation is being per- 
formed, an erroneous determination of offline is not 
made as long as there is a response from. the ECU. 
[0010] FIG. 7 shows two typical forms of a non-volatile 

35 memory mounted on the ECU. FIG. 7(a) shows a form 
in which a flash memory 216. which is a non-volatile 
memory, is provided independently of a CPU 214. In oth- 
er words, the flash memory 216 is mounted on a chip 
different from the CPU 214. The flash memory 216 is 

■*o coupled to a chip of a microcomputer where the CPU is 
mounted via an external bus 205. When the ECU 210 
receives a request for deleting or writing operation on 
the flash memory 216 from the rewriting device 211 , the 
operation is performed by an input/output controller (not 

<*5 shown) that controls input/output through the external 
bus 205. In this way since delete or write control on the 
flash memory 216 is performed independently of the 
CPU, the CPU does not become busy during deleting 
or writing operation. 

50 [0011] FIG. 7(b) shows another form in which the flash 
memory 216-and the CPU 214 are provided on a single 
chip to constitute one chip microcomputer. The flash 
memory 216 is coupled to the CPU 214 via an interna! 
bus 207. Deleting or writing operation is performed by 

55 an interface means incorporated in the CPU 214 as a 
function. In this case, the CPU may become busy during 
deleting or writing operation. When the CPU is busy, the 
ECU 210 may be unable to communicate with the re- 
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writing device 211. 

[0012] Recently, in order to reduce costs relating to 
the ECU,, a microcomputer including a non-volatile 
memory, as shown in FIG. 7(b), has been increasingly 
employed. As described above, in this form, a CPU may 5 
become busy during deleting or writing operation on a 
non-volatile memory. When the ECU is busy, it may not 
respond to a request for the result of deleting or writing 
operation from the rewriting device. As a result, even 
though communication between the ECU and the rewrit- 
ing device is normal, the rewriting device may determine 
that the communication is offline if a response from the 
ECU has not been received in a predetermined period. 
Thus, when the CPU of the ECU is busy, the rewriting 
device may make an erroneous determination of offline. 
[0013] It is an object of the invention to provide a re- 
writing system capable of avoiding an erroneous deter- 
mination of offline when deleting or writing operation on 
a non-volatile memory is being performed in the ECU. 
[0014] It is another object of the invention to provide 
a rewriting system improving the efficiency of rewriting. 
[001 5] According to one aspect of the invention, there 
is provided a rewriting device for deleting data stored in 
a memory of a vehicle controller; 

the rewriting device being capable of communicat- 
ing with the vehicle controller and configured to wait 
without communicating with the vehicle controller 
until a predetermined waiting time elapses from the 
time at which a signal for requesting deletion of the 
data is sent to the vehicle controller or from the time 
at which a signal indicative of start of deleting oper- 
ation of the data is received from the vehicle con- 
troller. According to another aspect, there is provid- 
ed a rewriting device for rewriting data stored in a 
memory of a vehicle controller with new data; 
the rewriting device capable of communicating with 
the vehicle controller and configured to wait without 
communicating with the vehicle controller until a 
predetermined waiting time elapses from the time 
at which a signal \oi requesting the vehicle control- 
ler to write the new data is sent to the vehicle con- 
troller or from the time at which a signal indicative: 
of start of writing operation of the new data is re- 
ceived from the vehicle controller. According to an- 
other aspect, there is provided a method for rewrit- 
ing data stored in a memory of a vehicle.controller 
via a rewriting device capable of communicating 
with the vehicle controller; the method comprising: 

sending a request asking the vehicle controller 
to delete the data in the memory; and 
at the rewriting device, waiting until a predeter- 
mined waiting time elapses from the time at 
which the request is sent; 

wherein, during the waiting time, there is no ex- 
change of message between the vehicle controller 



and the rewriting device. According to another as- 
pect, there is provided a^method for rewriting data 
stored in a memory.of a vehicle controller with new 
data via a rewriting device capable of communicat- 
ing with the vehicle controller; the method compris- 
ing: 

sending a request asking the vehicle controller 
to write the new data into the memory; and 
at the rewriting device, waiting until a predeter- 
mined waiting time elapses from the time at 
which the request is sent; 

wherein, during the waiting time, there is no ex- 
change of message between the vehicle controller 
. and the rewriting device. In one embodiment, the 
rewriting device is connected to the vehicle control- 
ler via serial communication. The rewriting device 
sends a signal to the vehicle controller indicative of 
a request for deleting operation of the data or writing 
operation of the new data. In response to the re- 
quest, the vehicle controller sends a signal to the 
rewriting device indicative of start of deleting or writ- 
ing operation and performs the deleting or writing 
operation, respectively. The rewriting device enters 
a waiting state when the request signal is sent or 
when the start signal is received. The rewriting de- 
vice waits until a predetermined waiting time elaps- 
es. For the waiting time, there is no exchange of s 
message between the vehicle controller and the re- 
writing device. When the waiting time has elapsed, 
the rewriting device sends a signal to the vehicle 
controller indicative of a request for the result of the 
deleting or writing operation. Since the rewriting de- 
vice is in a waiting state when deleting or writing 
operation is being performed, an erroneous deter- 
mination of offline due to a busy state of the CPU in 
the vehicle controller can be avoided. 

[001 6] According to one embodiment of the invention, 
the predetermined waiting time for deleting operation is 
the time necessary to delete the data stored in the mem- 
ory. Similarly., the predetermined waiting time for writing 
operation is the time necessary to write the new data 
into the memory. The deleting time and writing time de- 
pend on the specification of the memory. Thus, the wait- 
ing time is optimized in accordance with the specifica- 
tion of the memory. 

[001 7] According to another embodiment of the inven- 
tion, the deleting time is calculated based on the size of 
the data and the specification of the memory., and the 
writing time is calculated based oh the size of the new 
data and the specification of the memory. The calcula- 
tion is implemented in the vehicle controller. 
[001 8] According to another embodiment of the inven- 
lion, the rewriting device acquires the deleting time from 
the vehicle controller and sets it in the waiting time for 
deleting "operation. Similarly, the rewriting device ae- 
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quires the writing time from the vehicle controller and 
sets it in the waiting time for writing operation. This en- 
ables the waiting time to be minimized, thus the efficien- 
cy of rewriting being improved. 

[001 9] Preferred embodiment of the invention will now 
be described, by way of example only, with reference to 
the drawings. 

FIG. 1 is a block diagram showing functional blocks 
of a rewriting system in one embodiment of the in- 
vention; 

FIG. 2 shows an operational procedure of the re- 
writing system in one embodiment of the invention; 
FIG. 3 is a flow chart showing deleting and writing 
operation in a rewriting device in one embodiment 
of the invention; 

FIG. 4 is a flow chart showing deleting and writing 
operation in a vehicle controller in one embodiment 
of the invention; 

FIG. 5 is a flow chart showing conventional deleting 
and writing operation in a rewriting device; 
FIG. 6 is a flow chart showing conventional deleting 
and writing operation in a vehicle controller; and 
FIG. 7 shows a typical form of a CPU and a memory 
in a vehicle controller. 

[0020] A system for rewriting a program stored in a 
non-volatile memory of a vehicle controller will be de- 
scribed referring to attached drawings. The present in- 
vention, however, is not limited to the system but is ap- 
plicable to various systems for rewriting data stored in 
a memory, as defined by the claims. 
[0021] FIG. 1 shows a general functional block dia- 
gram of a rewriting system according to the invention. 
The rewriting system comprises an ECU 10 and a re- 
writing device 11 . The rewriting device 11 is a rewriting 
device authorized by a manufacturer of vehicles on 
which the ECU 1 0 is mounted. By connecting the rewrit- 
ing device 1 1 to the ECU 1 0 via a serial communication 
bus and operating the rewriting device 11, security for 
preventing a program or data stored in the ROM 16 of 
the ECU 1 0 from being rewritten without proper author- 
ization is released. Thus, the rewriting device 11 is al- 
lowed to rewrite a program or data stored in the ROM 16. 
[0022] The ECU 10 comprises a central processing 
unit 14 (hereafter referred to as a "CPU") including a 
microcomputer and associated circuit elements, ROMs 
16 and 17 which are non-volatile memories and which 
store programs and data, a RAM 15 (Random Access 
Memory) which provides a work area for execution and 
which stores results of computations, and an I/O inter- 
face 18 for receiving signals from various sensors 19 
and transmitting control signals to various parts of the 
engine. 

[0023] Signals from various sensors 1 9 include an en- 
gine rotation speed (Ne), an engine water temperature 
(Tw), an intake air temperature (Ta), a battery voltage 
(VB) : and an ignition switch (IGSW). Thus : based on a 



signal input from the I/O interface 18, the CPU 14 in- 
vokes a control program and data from the ROMs 1 6 
and 1 7 to execute computations, and outputs the results 
to various parts of the vehicle via the I/O interface 1 8 to 

5 control various functions of the vehicle. 

[0024] The ECU 10 also comprises an interface 12. 
The interface 12 has a protocol for communication with 
the rewriting device 11 to enable serial communication 
between the ECU 10 and the rewriting device 11. 

10 [0025] The rewritable ROM 1 6 is a non-volatile mem- 
ory from which stored data can be deleted and to which 
new data can be written. The rewritable ROM 16 can 
be, for example, a flash memory or an EEPROM. The 
non-rewritable ROM 17 is a non-volatile memory. The 

is non-rewritable ROM 17 can be implemented by speci- 
fying a part of the memory area of a rewritable ROM as 
an unchangeable area, or by using a mask ROM for 
which data is fixed during manufacturing and from or to 
which data can subsequently not be deleted or written. 

20 Alternatively, the ROM 17 can be implemented with a 
PROM to which data can be written only once. 
[0026] The ROMs 1 6 and 17 can be implemented as 
two memories that are physically separated. Alterna- 
tively, the memory area of a single memory may be di- 

25 vided into two areas so that one of the areas is used as 
a rewritable area, while the other is used as a non-re- 
writable area. For example, after a non-rewritable area 
in which a program or the like is stored has been spec- 
ified in the EEPROM, a rewritable area is specified with 

30 start and end addresses in the unfilled space of the 
memory. 

[0027] A program P1 , which is to be rewritten by the 
rewriting device 11 . is stored in the rewritable ROM 16. 
Programs that implement an authentication part 33, an 
35 initialization part 34, a deleting part 35 and a writing part 
36 are stored in the non-rewritable ROM 17. The au- 
thentication part 33 judges whether the rewriting device 
11 is authentic. If it is judged that the rewriting device is 
authentic, the authentication part 33 releases the secu- 
re rity that prevents data stored in the ROM 1 6 from being 
changed without proper authorization. 
[0028] The initialization part 34 performs an initializa- 
tion process for starting deleting and writing operation. 
The deleting part 35 deletes the program P1 . The writing 
45 part 36 serially receives data blocks representative of a 
new program P2 from the rewriting device 11. The data 
blocks are assembled from program code of the new 
program P2. The writing part 36 writes a partial program 
code included in each data block into the ROM 16. 
50 [0029] The rewriting device 11 comprises a security 
release requesting part 20, a rewriting initialization part 
21 , a deleting requesting part 23, a deleting waiting part 
24, and a deleting result requesting part 25, which are 
stored in a memory of the rewriting device 11 as pro- 
55 grams. The security release requesting part 20 requests 
the ECU 10 to release the security so that rewriting to 
the rewritable ROM 16 of the ECU 10 is permitted. The 
rewriting initialization part 21 performs an initialization 
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process for starting deleting and writing operation. The 
deleting requesting part 23 requests the ECU 10 to de- 
lete the program P1 in the ROM 16. 
[0030] The deleting waiting part 24 waits until a pre- 
determined waiting time DT2 has elapsed from the time 
at which deleting operation is started in the ECU 1 0. For 
the waiting time DT2, the rewriting device 1 1 exchanges 
no message with the ECU TO. In other words, the rewrit- 
ing device 11 is in a waiting state when deleting opera- 
tion is being performed in the ECU 1 0. Thus, an errone- 
ous determination of offline due to a busy state of the 
ECU 1 0 can be avoided. When the waiting time DT2 has 
elapsed, the deleting result requesting part 25 requests 
the result of the deleting operation to determine whether 
the deleting operation is in progress or has been com- 
pleted. 

[0031] The rewriting device 11 also comprises a writ- 
ing requesting part 27, a writing waiting part 28, a writing 
result requesting part 29 and a data block assembling 
part 30, which are stored in a memory as programs. The 
, data block assembling part 30 assembles data blocks 
from the new program P2. Each data block includes a 
program code field for a partial program code of the new 
program P2 and an address field for a leading address 
of the ROM 16 in which the partial program code is to 
be stored/For example, each partial program code has 
a length of eight bits. The data blocks assembled are 
serially sent to the ECU 10 via.serial communication by 
the writing requesting part 27. 

[0032] The writing requesting part 27 requests the 
ECU 10 to write a partial program code of each data 
block in an address of the ROM 16 that is indicated by 
an address value in the address field of each data block. 
[0033] The writing waiting part 28 waits until a prede- 
termined waiting time WT2 has elapsed from the time 
at which writing operation is started in the ECU 10. For 
the waiting time WT2, the rewriting device 1 1 exchanges 
no message with theECU 1 0. in other words, the rewrit- 
ing device 1 1 is in a waiting state when writing operation 
is being performed in the ECU 1 0. Thus, an erroneous 
determination of offline due to a busy state of the ECU 
10 can be avoided. When the waiting time WT2 has 
elapsed, the writing result requesting part 29 requests 
the result of the writing operation to determine whether 
the writing operation is in progress or has been complet- 
ed. 

[0034] The ECU 10 also comprises a deleting time 
calculating part 37 and a writing time calculating part 38. 
The deleting time calculating part 37 calculates the time 
DT necessary to delete the program P1 . A unit time of 
deletion, which can be expressed, for example, in blocks 
or bytes, depends on the type of the ROM 1 6. That is., 
a unit time of deletion is predetermined in accordance 
with the specification of the ROM 16. The deleting time 
calculating part 37 calculates the deleting time DT 
based on the size of the program P1 and a unit time of 
deletion specific to the ROM 16. 

[0035] The writing time calculating part 38 calculates 



the time WT necessary to write a partial program code 
of the new program P2 received from the rewriting de- 
vice 11 . As is the case for deletion, a unit time of writing 
depends on the type of the ROM 16, and is predeter- 

5 mined in accordance with the specification of the ROM 
16. The writing time calculating part 38 calculates the 
writing time WT based on the size of a partial program 
. code of the program P2 and a unit time of writing specific 
' to the ROM 1 6. In this way. the writing time WT is cal- 

10 culated in accordance with the amount of data written 
into the ROM 16 at a time by the writing part 36. 
[0036] In another embodiment, the deleting and writ- 
ing time calculating parts 37 and 38 may be provided in 
the rewriting device 11. The rewriting device 11 may 

'5 have a unit time of deletion and writing specific to the 
ROM 16 in advance. Alternatively, the rewriting device 
11 may request a unit time of deletion and writing from 
the ECU 10. Thus, the deleting time DT and the writing 
time WT are calculated in the rewriting device 1 1 . 

20 [0037] The rewriting device 11 preferably comprises 
a deleting time acquiring part 22 and a writing time ac- 
. quiring part 26. Before or when the deleting requesting 
part 23 requests the ECU 1 0 to delete the program P1 . 
the deleting time acquiring part 22 acquires from the 

25 ECU 1 0 the deleting time DT calculated by the deleting 
time calculating part 37. The deleting time acquiring part 
22 sets the acquired deleting time DT in the waiting time 
DT2. Thus, the rewriting device 11 waits until the delet- 
ing time DT has elapsed from the time at which deleting 

30 operation is started. This enables the waiting time for 
deleting operation to be optimized in accordance with 
the specification of the ROM 1 6, thus improving the ef- 
ficiency of deleting operation. 

[0038] Similarly, before or when the writing requesting 

35 part 27 requests the ECU 1 0 to write a partial program 
code of the new program P2, the writing time requesting 
part 26 acquires from the ECU>10 the writing time WT 
calculated by the writing time calculating part 38. The 
writing time acquiring part 26 sets the acquired writing 

40 time WT in the waiting time WT2. Thus, the rewriting 
device 11 waits until the writing time WT has elapsed 
from the time at which writing operation is started. .This 
enables the waiting time for writing operation to be op- 
timized in accordance with the specification of the ROM 

45 16, thus the efficiency of writing operation being im- 
proved. Alternatively, the waiting time DT2 and WT2 
may be predetermined as fixed values, respectively. 
[0039] The rewriting device 11 also comprises an of- 
fline determining part 31. The offline determining part 

50 31 judges whether communication between the rewrit- 
ing device 1 1 and the ECU 1 0 is offline. More specifical- 
ly, if no response is received from the ECU 10 until a 
predetermined determination time DT1 has elapsed 
from the time at which a request by the rewriting device 

55 1 1 is sent to the ECU 10, the offline. determining part 31 
determines that communication is offline. The request 
may be a request for the deleting time DT, a request for 
deleting operation, or a request for the result of the de- 
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leting operation. 

[0040] Similarly, if no response is received from the 
ECU 10 until a predetermined determination time WT1 
has elapsed from the time at which a request by the re- 
writing device 11 is sent to the ECU 10, the offline de- 
termining part 31 determines that communication is of- 
fline. The request may be a request for the writing time 
WT, a request for writing operation, or a request for the 
result of the writing operation. The value of the determi- 
nation time WT1 may be consistent with or different from 
that of the determination time DT1 . 
[0041] FIG. 2 shows rewriting operation according to 
the rewriting system shown in FIG. 1 . The rewriting op- 
eration is initiated, for example, by operating the rewrit- 
ing device 11 after it has been connected to the ECU 
1 0. Alternatively, the rewriting operation may be initiated 
by operating the ECU 10. 

[0042] At step 41 , the security release requesting part 

20 of the rewriting device 1 1 sends a signal to the ECU 

10 indicative of a request for releasing security. The 
ECU 10 responds to the signal to invoke the authenti- 
cation part 33. The authentication part 33 initiates an 
authentication process for confirming that the author- 
ized rewriting device is connected. 

[0043] The authentication process can be carried out 
in different manners. For example, the rewriting device 

11 and the ECU 1 0 have security functions, respectively. 
The rewriting device 1 1 calculates its own function value 
for a given number and sends the calculated value to 
the ECU 1 0. On the other hand, the ECU 1 0 calculates 
its own function value for the same number. The ECU 
1 0 compares the value calculated by itself with the value 
received from the rewriting device 11. The ECU 10 de- 
termines that the rewriting device is authentic if the two 
values are the same. The ECU 1 0 sends a signal to the 
rewriting device 11 indicative of a permission of rewrit- 
ing. Thus, the security is released. 

[0044] If the ECU 10 authenticates the rewriting de- 
vice 1 1 and permits it to rewrite to the ROM 1 6. the proc- 
ess proceeds to step 42. The rewriting initialization part 

21 of the rewriting device 1 1 sends a signal to the ECU 
10 indicative of start of. rewriting. The initialization part 
34 of the ECU 1 0 returns a signal indicative of a permis- 
sion of rewriting when ready for rewriting. 

[0045] At step 43, the rewriting device 11 sends a re- 
quest to the ECU 1 0 for shifting to a rewriting operation 
mode. The initialization part 34 of the ECU 1 0 executes 
a process of shifting to the rewriting operation mode. At 
step 44, the rewriting initialization part 21 of the rewriting 
device 1 1 queries the ECU 1 0 if the shift has been com- 
pleted. If the shift has been completed, the rewriting in- 
itialization part 34 of the ECU 10 sends a signal to the 
rewriting device 11 indicative of completion of the shift. 
[0046] At step 45, the deleting time acquiring part 22 
of the rewriting device 11 requests the time necessary 
to delete the program P1 . In response to the request, 
the deleting time calculating part 37 of the ECU 1 0 cal- 
culates the deleting time DT and sends it to the rewriting 



device 11. The deleting time acquiring part 22 sets the 
acquired deleting time DT in the waiting time DT2. At 
step 46, the deleting requesting part 23 of the rewriting 
device 11 requests the ECU 10 to delete the program 
5 P1 . In response to the request, the deleting part 35 of 
the ECU 1 0. sends a signal indicative of start of deleting 
operation. 

[0047] When receiving the signal indicative of start of 
deleting operation, the rewriting device 1 1 enters a wait- 
10 ing state. The rewriting device 1 1 waits until the waiting 
time DT2 has elapsed. Alternatively, the elapsed time of 
the waiting time DT2 may be measured from the time at 
which the request for deleting operation is sent. Forthe 
waiting time DT2, the deleting operation of the program 

15 P1 js performed by the deleting part 35 of the ECU 1 0. 
[0048] When the waiting time DT2 has elapsed, the 
deleting result requesting part 25 of the rewriting device 
1 1 requests the result of the deleting operation (step 47). 
When the deleting operation of the program P1 has 

20 been completed, the deleting part 35 of the ECU 10 
sends a signal to the rewriting device 11 indicative of 
completion of the deleting operation. 
[0049] In the rewriting device 1 1 , the new program P2 
has been prepared by the data block assembling part 

25 30 as data blocks. Assembling of the data blocks from 
the program P2 is typically performed before the secu- 
rity release request or the rewriting start signal is sent 
to the ECU 10. Alternatively, it may be performed imme- 
diately before step 47 or 48. 

30 [0050] At step 48, the writing time acquiring part 26 of. 
the rewriting device 11 requests the time necessary to 
write the new program P2. in response to the request, 
the writing time calculating part 38 of the ECU 1 0 calcu- 
lates the writing time WT and sends it to the rewriting 

35 device 11 . The writing time acquiring part 26 sets the 
writing time WT in the waiting time WT2. 
[0051] At step 49, the writing requesting part 27 of the 
rewriting device 11 transfers a data block including a 
partial program code of the new program P2 to the ECU 

40 1 o together with a signal indicative of a request for writ- 
ing operation. In response to the request, the writing part 
36 of the ECU 1 0 sends a signal to the rewriting device 
1 1 indicative of start of writing operation. The writing part 
36 writes the partial program code included in the data 

45 blockto the ROM 1 6. The partial program code is written 
in an address of the ROM 16 that is indicated by the 
address field of the data block. A check mechanism may 
be provided for determining whether the address value 
in the address field of the data block is included in ad- 

50 dresses of data deleted by the deleting part 35. 

[0052] When receiving the signal indicative of start of 
writing operation, the rewriting device 11 enters a wait- 
ing state. The rewriting device 11 waits until the waiting 
time WT2 has elapsed. Alternatively, the elapsed time 

55 of the waiting time WT2 may be measured from the time 
at which the request for writing operation is sent. Forthe 
waiting time WT2, writing of the program P2 is per- 
formed by the writing part 36 of the ECU 1 0. 
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[0053] When the waiting time WT2 has elapsed, the . 
writing result requesting part 29 of the rewriting device 
11 requests the result of the writing operation (step 50). 
When the writing operation of the partial program code 
of the program P2 has been completed, the writing part 
36 of the ECU 1 0 sends a signal to the rewriting device 
11 indicative of completion of the writing operation. 
[0054] The writing requesting part 27 transfers a next 
data block to the ECU 10 if the completion signal indi- 
cates abnormal end. The steps 49 and 50 are repeated 
until all the program code of the program P2 is written 
into the ROM 16. When writing of all the program code 
has been completed, the writing requesting part 27 re- 
quests the ECU 10. to release the rewriting operation 
mode (step 51). In response to the request, the writing 
part 36 releases the rewriting operation mode. 
[0055] FIGS. 3A and 3B together are a flow chart of 
a deleting and writing operation carried out in the rewrit- 
ing device 11 . At step 60, the rewriting device 11 sends 
a signal indicative of a request for the deleting time to 
the ECU 1 0. When the deleting time DT is received from 
the ECU (step 61 ), the deleting time DT is set in the wait- 
ing time DT2 (step 64). The rewriting device 11 sends a 
signal to the ECU 10 indicative of a request for deleting 
operation (step 65). 

[0056] If there is no response from the ECU 1 0 at step 
61, it is determined whether the predetermined determi- 
nation time DT1 (for example, 30 milliseconds) has 
elapsed from the time at which- the request is sent at 
step 60 (step 62). Similarly, if there is no response from 
the ECU 1 0 at step 66, it is determined whether the pre- 
determined determination time DT1 has elapsed from 
the time at which the request is sent at step 65 (step 67). 
If the determination time DT1 has not elapsed, the proc- 
ess returns to steps 61 and 66, respectively, and the re- 
writing device 11 waits a response from the ECU 10 
again. If the determination-time DT1 has elapsed, it is 
determined that communication between the rewriting 
device 11 and the ECU 10 is offline (steps 63 and 68). 
[0057] If there is a response from the ECU 1 0 at step 
66, the process proceeds to step 69. At step 69, the re- 
writing device 11 waits until the waiting time DT2 (for 
example, 400 milliseconds) has elapsed from the time 
at which the response is received at step 66. When the 
waiting time DT 2 has elapsed, the rewriting device 
sends a signal to the ECU 1 0 indicative of a request for 
the result of the deleting operation (step 70). If there is 
a response from the ECU 10 (step 71), it is checked 
whether the response indicates completion of the delet- 
ing operation (step 72). If the response indicates the 
completion of the deleting operation, the process pro- 
ceeds to step 76, If the deleting operation is in progress, 
the process returns to step 70, and the signal indicative 
of a request for the result of the deleting operation is 
sent to the ECU 10 again. Alternatively, the return to step 
70 may be made after a predetermined period. 
[0058] At step 71 , if there is no response from the ECU 
10, it is checked whether the determination time DT1 



has elapsed from the time at which the request is sent 
at step 70 (step 73). If-the'determination time DT1 has 
not elapsed, the process returns to step 71 , and the re- 
writing device 11 waits a response from the ECU 10 

5 again. If the determination time DT1 has elapsed, it is 
determined that the communication is offline (step 75). 
[0059] Thus, by waiting until the waiting time DT2 has 
elapsed from the start of deleting operation, an errone- 
ous determination of offline due to a busy state of the 

10 ECU can be avoided. In addition, the efficiency of delet- 
ing operation can be improved because the deleting 
time DT according to the specification of the ROM is set 
in the waiting time DT2. 

[0060] At step 76, the process proceeds to step 80 in 
'5 FIG. 3B if the deleting operation ends normally. If the 
deleting operation does not end normally, the process 
exits from thjs routine. 

[0061] At step 80, a signal indicative of a request for 
the writing time is sent to the ECU 1 0. The rewriting de- 

20 vice receives the writing time WT and sets it in the wait- 
ing time WT2 (step 84). The process proceeds to step 
-85, and a data block including a partial program code of 
the new program P2 is transferred to the ECU 10. 
[0062] If there is no response from the ECU 10 at step 

25 81 , it is determined whether the predetermined determi- 
nation time WT1 (for example, 30 milliseconds) has 
elapsed from the. time at which the request is sent at 
step 80 (step 82). Similarly, if there is no response from 
the ECU 1 0 at step 86, it is determined whether the pre- 

30 -determined determination time WT1 has elapsed from 
the time at which the request is sent at step 85 (step 87). 
If the determination time WT1 has not elapsed, the proc- 
ess returns to steps 81 and 86, respectively, and rewrit- 
. ing device 1 1 waits a response from the ECU 1 0 again. 

35 if the determination time WT1 has elapsed, it is deter- 
mined that the communication is offline (steps 83 and 
88). 

[0063] If there is a response from the ECU 10 at step 
86, the process proceeds to step 89. At step 89, the re- 

40 writing device 11 enters a waiting state and waits until 
the waiting time WT2 (for example, 40 milliseconds) has 
elapsed. When the waiting time WT2 has elapsed, the 
rewriting device sends a signal to the ECU 1 0 indicative 
of a request for the result of the writing operation (step 

4 5 go). If there is a response to the request, it is checked 
whetherthe response indicates completion of the writing 
operation (step 92). If the response indicates completion 
of the writing operation, the process proceeds to step 
96. If. the writing operation is in progress, the process 

50 returns to step 90, and the rewriting device 1 1 sends the 
signal indicative of a request for the result of the writing 
': operation to the ECU 10 again. The return to step 90 
may be made after a predetermined period. 
[0064] If there is no response from the ECU 1 0. at step 

55 91 ( it is checked whether the determination time WT1 
has elapsed from the time at which the request is sent 
at step 90 (step 93). If the determination time WT1 has 
not elapsed, the process returns to step 91 , and.the re- 
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writing device waits a response from the ECU 1 0 again. 
If there is no response from the ECU until the determi- 
nation time WT1 has elapsed, the rewriting device 11 
determines that the communication is offline (step 95). 
[0065] Thus, by waiting until the waiting time WT2 has 
elapsed from the start of writing operation, an erroneous 
determination of offline due to a busy state of the ECU 
can be avoided. In addition, the efficiency of writing op- 
eration can be improved because the writing time WT 
according to the specification of the ROM is set in the 
waiting time WT2. 

[0066] At step 96, if it is determined that the writing 
operation ends normally, the process proceeds to step 
97. If all the program code of the new program P2 has 
not been sent to the ECU 10, the process returns to step 
80 to send a next data block. If all the program code of 
the new program P2 is sent to the ECU 1 0, the process 
exits from this routine. 

[0067] FIG. 4 shows a flow chart of deleting and writ- 
ing operation carried out by the ECU 10. If a signal in- 
dicative of a request for the deleting time is received at 
step 101, the deleting time DT is sent to the rewriting 
device 11 (step 102). If a signal indicative of a request 
for deleting operation is received at step 103, a signal 
indicative of start of the deleting operation is sent to the 
rewriting device 11 (step 104), and deleting operation is 
performed (step 105). When a signal indicative of a re- 
quest for the result of the deleting operation is received 
from the rewriting device 11 (step 106), a signal indica- 
tive of the result of the deleting operation is sent to the 
rewriting device 11 (step 107). The result signal shows 
the state of the deleting operation, in such a mannerthat 
a value "1" indicates completion of the deleting opera- 
tion and a value "0" indicates that the deleting operation 
is in progress. 

[0068] In a similar way, if a signal indicative of a re- 
quest for the writing time is received from the rewriting 
device 11 (step 111), the writing time WT is calculated 
and is sent to the rewriting device 1'1 (step 11 2). If a data 
block of the new program P2 is received from the rewrit- 
ing device 11 at step 113, a signal indicative of start of 
writing operation is sent to the rewriting device 11 (step 
114) : and a partial program code included in the re- 
ceived data block is written into the ROM 16 (step 115). 
If a signal indicative of a request for the result of the 
writing operation is received from the rewriting device 
1 1 (step 1 1 6) : the result of the writing operation is sent 
to the rewriting device 11 (step 117). The writing result 
signal shows the state of the writing operation, in such 
a manner that a value "1" indicates completion of the 
writing operation and a value "0" indicates that the writ- 
ing operation is in progress. The transfer of the new pro- 
gram P2 from the rewriting device 11 to the ECU 10 is 
executed for each data block. Therefore, steps 113 
through 1 1 7 are repeated until all the data blocks of the 
new program P2 are received (step 118). 



Claims 

1 . A rewriting device for deleting data stored in a mem- 
ory (16) of a vehicle controller (10); 

5 the rewriting device (11) being capable of 

communicating with the vehicle controller (10) and 
configured to wait without communicating with the 
vehicle controller until a predetermined waiting time 
elapses from the time at which a signal for request- 

10 ing deletion of the data is sent to the vehicle con- 
troller or from the time at which a signal indicative 
of start of deleting operation of the data is received 
from the vehicle controller. 

'5 2. The rewriting device of claim 1 , wherein the prede- 
termined waiting time is the time necessary to de- 
lete the data stored in the memory (16). 

3. The rewriting device of claim 2, further configured 
20 to acquire from the vehicle controller (1 0) the delet- 
ing time prior to requesting deletion of the data, and 
to set the acquired deleting time in the predeter- 
mined waiting time. 

25 4. The rewriting device of claim 2, wherein the deleting 
time is calculated based on the size of the data and 
the specification of the memory (16). 

5. A rewriting device for rewriting data stored in a 
30 memory (16) of a vehicle controller (10) with new 

data; 

the rewriting device (11) capable of commu- 
nicating with the vehicle controller (10) and config- 
ured to wait without communicating with the vehicle 

35 controller until a predetermined waiting time elaps- 

es from the time at which a signal for requesting the 
vehicle controller to write the new data is sent to the 
vehicle controller or from the time at which a signal 
indicative of start of writing operation of the new da- 

40 ta is received from the vehicle controller. 

6. The rewriting device of claim 5, wherein the prede- 
termined waiting time is the time necessary to write 
the new data into the memory (16). 

45 

7. The rewriting device of claim 6, further configured 
to acquire from the vehicle controller (1 0) the writing 
time prior to requesting the writing operation of the 
new data, and to set the acquired writing time in the 

50 predetermined waiting time. 

8. The rewriting device of claim 6. wherein the writing 
time is calculated based on the size of the new data 
and the specification of the memory (1 6). 

55 

9. A rewriting system for rewriting data stored in a 
memory (16) of a vehicle controller (10) with new 
data: the system comprising: 
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a rewriting device (11) capable of communi- 
cating with the vehicle controller (10), the rewriting 
device configured to wait without communicating 
with the vehicle controller until a predetermined 
waiting time elapses from the time at which a signal 
for requesting the vehicle controller to delete the da- 
ta or write the new data is sent, or from the time at 
which a signal indicative of start of deleting opera- 
tion of the data or writing operation of the new data 
, is received. 

10. The rewriting system of claim 9, wherein the prede- 
termined waiting time for the deleting operation is 
the time necessary to delete the data stored in the 
memory (1 6) and the predetermined waiting time for 
the writing operation is the time necessary to write 
the new data into the memory (1 6). 

11. The rewriting system of claim 10, wherein the vehi- 
cle controller (10) is configured to calculate the de- 
leting time necessary to delete the data in the mem- 
ory (1 6); and 

wherein the deleting^time is sent from the ve- 
hicle controller to the rewriting device (11). 

12. The rewriting system of claim 1 0 or 1 1 , wherein the 
vehicle controller (10) is configured to calculate the 
writing time necessary to write the new data into the 
memory (16); and 

wherein the writing time is sent from the vehi- 
cle controller to the rewriting device (11). 



calculating the time necessary to delete the da- 
ta stored in the memory (16); and 
.setting the deleting time in the waiting time. 

5 17. A method for rewriting data stored in a memory (16) 
of a vehicle controller (10) with new data via a re- 
writing device (11) capable of communicating with 
. the vehicle controller; the method comprising: 

10 sending a request asking the vehicle controller 

(1 0) to write the new data into the memory (1 6); 
and 

at the rewriting device (11), waiting until a pre- 
determined waiting time elapses from the time 
15 at which the request is sent; 

wherein, during the waiting time, there is no ex- 
change of message between the vehicle con- 
troller (10) and the rewriting device (11). 

20 18. The method of claim 17, further comprising: 

when the waiting time has'elapsed. sending 
a request for the result of the writing operation to 
. the vehicle controller (10). 

25 19. The method of claim 17 or 1 8, further comprising: 

calculating the time necessary to write the new 
data into the memory (1 6); and . 
setting the writing time in the waiting time. 
30 - 



13. The rewriting system of claim 10, wherein the de- 
leting time and writing time are calculated in accord- 
ance with the specification of the memory (16), re- 
spectively. 



35 



14. A method for rewriting data stored in a memory (16) 
of a vehicle controller (1 0) via a rewriting device (11 ) 
capable of communicating with the vehicle control- 
ler; the method comprising: 

sending a request asking the vehicle controller 
(1 0) to delete the data in the memory (1 6); and 
at the rewriting device (11), waiting until a pre- 
determined waiting time elapses from the time 
at which the request is sent: 
wherein, during the waiting time, there is no ex- 
change of message between the vehicle con- 
troller (10) and the rewriting device (11 ). 

15. The method of claim 14, further comprising: 

when the waiting time has elapsed, sending 
a request for the result of the deleting operation to 
the vehicle controller (10). 



16. The method of claim 14 or 15, further comprising: 
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